Tag Archives: Sites and Services

Have you ever just been staring at your computer saying, “Come on already!” Or, “if you don’t hurry up, I am getting out a soldering iron and converting you into a toaster!” No? Are you lying to me? Am I just impatient? Well, if I am, I am not alone. However, experience has been kind enough (read: I am still alive) to teach me that sometimes, it just takes time.

In general, patience is hard learned in computer work. I remember coming up with the Starbucks rule. When creating VPN changes, make your changes and then go to Starbucks; when you get back it will be working. When it comes to Active Directory, it is actually worse. Patience isn’t needed just to get the things working: patience is required so that Active Directory isn’t damaged by troubleshooting.

You see, when doing Active Directory work, you sometimes need to slow down. Why? It all takes time: the KCC, time synchronization and replication over however many links the data has to go across. This is just how Active Directory works, since it is a multi-master system. And before anyone gets any ideas… yes, we all want it to be a multi-master system and accept this as normal.

As a general rule, when doing a major Active Directory project, work at the pace of the slowest task. Let the changes propagate. They need to. In fact, over time it appears that once everything is done and complete… give it a good twenty-four hours and then double check it.

Twenty-four hours? Am I insane? Nope.

Take the time and validate that the changes propagated. Why? You see, one of the biggest pains in Active Directory is when you don’t realize your environment has some KCC, replication or time errors… and the changes you think went through… didn’t. This does happen. So don’t rush it.

When you rush it, you make mistakes. Like not backing up every domain controller when doing a domain transition, or not documenting the changes you are making in a migration. Take the time that the job actually requires.

Oh, and since you’re now taking the time to do it right, how about we all try and remember to finish the job. Active Directory projects are left incomplete in epic proportions. Take the time, and finish it. Really finish it. Yes, even fill out Sites and Services. It is all important and makes it easier for those who come after you.

When working with Active Directory, just take it methodically. Then make sure the replication is done. Rush and you may make a mistake and end up rebuilding your forest.
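One way to make sure the replication is done before calling a change finished, as an added example that is not from the original post: the PowerShell below reads `repadmin /showrepl * /csv` and lists every replication link that is failing or has not succeeded within 24 hours. The 24-hour threshold is taken from the text above; the variable names and output shape are this example's own.

```powershell
# Added example: list replication links that are failing or have gone stale.
# Needs repadmin (RSAT AD DS tools) and rights to query every domain controller.
$maxAge = New-TimeSpan -Hours 24   # assumption: the twenty-four-hour window from the text
$now    = Get-Date

# One CSV row per inbound replication link, for every DC repadmin can find.
# Column names below are the ones repadmin prints in its CSV header row.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$problems = foreach ($row in $rows) {
    # The first CSV column holds the row type. Anything other than
    # showrepl_INFO means repadmin could not read that DC, so report the raw row.
    if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
        [pscustomobject]@{
            Destination   = '(not queried)'
            Source        = ''
            NamingContext = ''
            Reason        = ($row.PSObject.Properties.Value -join ' ').Trim()
        }
        continue
    }

    $reasons = @()
    if ([int]$row.'Number of Failures' -gt 0) {
        $reasons += "$($row.'Number of Failures') failures, last status $($row.'Last Failure Status')"
    }

    # A link that has never succeeded reports a time that does not parse as a date.
    $lastOk = [datetime]::MinValue
    if (-not [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)) {
        $reasons += 'no successful replication recorded'
    } elseif (($now - $lastOk) -gt $maxAge) {
        $reasons += "last success $lastOk"
    }

    if ($reasons) {
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Reason        = $reasons -join '; '
        }
    }
}

if ($problems) { $problems | Format-Table -AutoSize -Wrap; exit 1 }
'All replication links succeeded within the last 24 hours.'
```

The non-zero exit code lets a scheduled task or monitoring job treat any stale or failing link as an alert.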

We all love Microsoft’s Active Directory. It just works. You install it and walk away. Right? Nothing else to do. Right?

Suppose a car company built a car but only protected the outer shell from rust, painting, bluing or annealing nothing but the outer shell, the body. Not the undercarriage. No parts of the engine… nothing but the outer shell. That car would run. It would run as well as any car with a bit better finishing. Heck, initially it might even run a bit better since it is lighter. But how long would it be till the rust literally ate the car apart from the inside out? Ask anyone who has ever been in a cold climate, they know: it wouldn’t last very long at all. Heck, it isn’t uncommon in areas that salt their roads for cars to last half a decade with complete sealing.

So why don’t people finish setting up Microsoft’s Active Directory? Why not just set up Sites and Services, set up organizational units… and maybe even group policies? No, I don’t know the answer. In this case I just know this is an industry-wide problem. This is what leads to a great many problems that most administrators either don’t understand or, often, just have no idea can even occur.

In general, systems administrators love Active Directory. It is logical and it just works. You install it and walk away. Or at least that is the realization I have had after viewing nearly a hundred installations of Active Directory over the last decade. People install Active Directory and say, “we’re done!” This is a fallacy.

When you simply install Active Directory and walk away, you haven’t really set up anything. This is normally referred to as installation, not setup. And this can also be referred to as a disaster in waiting.

As a specialist in Active Directory, I always check on errors and events. Or as Microsoft states, troubleshooting Active Directory starts with “an event reported in an event log;” “an alert generated by a monitoring system, such as Microsoft Operations Manager (MOM);” or “a symptom reported by a user or noticed by IT personnel.” Working from one of the first two is a lot easier than the last. Granted, if you didn’t set up Active Directory… many alerts are worthless or just don’t generate.

When Active Directory is fully configured, you get to view a massive amount of information. Often information to the point of information overload. And yes, you read right: information, not data. When it isn’t configured, you basically give up on troubleshooting. Why? Because in general you don’t get the alerts that you should have had to work from.

When you set up Active Directory, when you completely set up Active Directory, things really begin to work. Your alerts actually begin to mean something (and in many cases, simply begin being available). You can actually see when you are having issues. And most importantly: when something does go wrong, you can fix it.

So, when you see that Active Directory is simply installed, ask yourself: why didn’t someone finish it? If it’s your work: why wouldn’t you finish it? I always hear the same thing from every engineer or administrator I have asked: it works.

Of all the answers, “it works” is completely without merit. Professionals I have great respect for have been included in this group. “It works” is not the answer. It is a disaster.

The old saying is that if you take on a job, work it till completion. So I recommend finishing Active Directory. Then it really works.

Tech Tip #1:

The command to run a general domain diagnostic of all domain controllers in your domain and export to a log is listed here.